Forensics Book 2: Investigating Hard Disks, File and Operating Systems Chapter 5: Windows Forensics II
Objectives Understand event logs Understand other audit events Understand forensic analysis of event logs Understand Windows password issues Describe some popular Windows forensic analysis tools
Introduction to Windows Forensics, Part II This chapter: Continues the study of Windows forensics Covers events and event logs Discusses password and authentication issues Describes various popular Windows forensic tools
Understanding Events Whenever an event occurs, the operating system logs the event Event Any occurrence that the operating system or a program wants to keep track of or alert the user about Some events are recorded by default Others are recorded based on the audit configuration maintained in the PolAdEvt registry key Systems configured as domain controllers have File Replication and Directory Service event logs Systems configured as domain name servers (DNS) have DNS event logs
Understanding Events (continued) Table 5-1 The event logging system keeps track of different types of logon events
Event Log File Format Windows event log is stored in a binary format with distinct, recognizable features Each event log consists of a header section and a series of event records Event log is maintained as a circular buffer Event log header Contained in the first 48 bytes of a valid event log file Consists of 12 distinct DWORD values Event record structure Basic header for an event record is 56 bytes
Event Log File Format (continued) Table 5-2 The event log header consists of 12 DWORD values, nine of which are listed here
Event Log File Format (continued) Table 5-3 The event record header is a 56-byte structure
Vista Event Logs Vista stores events in a binary XML format (.evtx files) rather than the older .evt structure Supports central collection of event records from other hosts XML General-purpose specification for markup languages Allows the user to define specific elements to aid in sharing structured data among different types of computers with different operating systems and applications wevtutil command Retrieves information about the Windows event log that is not readily apparent via the Event Viewer, such as the list of available logs and each log's configuration
Vista Event Logs (continued) Figure 5-1 An investigator can list all the event logs available using wevtutil.
Vista Event Logs (continued) Figure 5-2 An investigator can view configuration information about specific event logs using wevtutil.
IIS Logs Microsoft's Internet Information Server (IIS) Popular Web server platform IIS Web server logs are most often maintained in the %WinDir%\System32\LogFiles directory Each Web site (virtual server) has its own subdirectory for log files, named for the server instance (W3SVC1 and so on) By default, the log files are ASCII text and are easily opened and searched IIS logs will generally have column headers (a #Fields line) located at the top of the file
Parsing IIS Logs Managing and configuring IIS through the IIS Management Console is possible only on a system that has IIS installed and running By default, logging is enabled and configured to use the W3C Extended Log File Format Log files are named in the format exyymmdd.log, one file per day
Parsing IIS Logs (continued) Table 5-4 These are the fields in an IIS log (continues)
Parsing IIS Logs (continued) Table 5-4 These are the fields in an IIS log (continued)
Parsing IIS FTP Logs FTP logs record the same fields that IIS Web logs do, except for the following, which do not apply to FTP sessions: cs-uri-query cs-host cs(User-Agent) cs(Cookie) cs(Referer) sc-substatus FTP logs are stored in the following location: %WinDir%\System32\LogFiles\MSFTPSVC1\exyymmdd.log
Parsing DHCP Server Logs Dynamic Host Configuration Protocol (DHCP) Service provided by a server in which the server assigns a client machine an IP address upon request Microsoft server products all provide DHCP service if it is enabled and configured DHCP Service Activity Logs are created by the DHCP service Logs are stored in the following location by default: %SystemRoot%\System32\DHCP One log file is kept per day of the week (DhcpSrvLog-Mon.log through DhcpSrvLog-Sun.log), so each file is overwritten after seven days; an investigator who needs lease history must preserve these files before they roll over
Parsing DHCP Server Logs (continued) Table 5-6 This describes the information in a DHCP log
Parsing Windows Firewall Logs When logging is enabled, Windows Firewall writes its log to %SystemRoot%\pfirewall.log The firewall's configuration data is held in the WMI repository file objects.data, located in %SystemRoot%\System32\wbem\Repository\FS\ The Windows Firewall log contains a header at the top that describes the software and version, the time format (local time), and the fields, using the same #Fields convention as the IIS W3C logs
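The three log formats covered above (the IIS W3C logs from the "IIS Logs" and "Parsing IIS Logs" slides, the DHCP Service Activity Log, and pfirewall.log) can be handled by one small parser, because the IIS and firewall logs both declare their columns in a #Fields directive and the DHCP log is plain CSV after its preamble. The following is an added example, not code from the book or from Microsoft; every log line in it is constructed sample data, and the host names, addresses and MACs are invented. It flags suspicious IIS requests and firewall drops, then uses the DHCP lease records to say which host held each client IP:

```python
"""Parse IIS / Windows Firewall W3C extended logs and DHCP server audit logs,
then attribute the client IPs seen in them to DHCP lease holders.
All log lines below are constructed sample data, not captured from a real host."""
import csv
from io import StringIO

# --- constructed sample IIS W3C extended log (this format records UTC time) ---
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-03-15 13:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-03-15 13:00:01 10.0.0.5 GET /index.htm - 80 - 192.168.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-03-15 13:00:07 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 192.168.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 404 0 2
2008-03-15 13:02:15 10.0.0.5 GET /default.htm - 80 - 192.168.1.21 Mozilla/5.0 200 0 0
"""

# --- constructed sample Windows Firewall log (same #Fields-driven layout) ---
FIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-03-15 08:01:44 DROP TCP 192.168.1.20 10.0.0.5 1042 445 48 S 1234567 0 65535 - - - RECEIVE
2008-03-15 08:01:45 DROP TCP 192.168.1.20 10.0.0.5 1043 139 48 S 1234568 0 65535 - - - RECEIVE
2008-03-15 08:03:10 OPEN TCP 10.0.0.5 192.168.1.21 1100 80 - - - - - - - - SEND
"""

# --- constructed sample DHCP audit log (DhcpSrvLog-Sat.log style, with preamble) ---
DHCP_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.
11\tA lease was renewed by a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/15/08,07:55:00,Started,,,
10,03/15/08,07:58:12,Assign,192.168.1.20,WKSTN01.corp.example,000C29AABBCC
10,03/15/08,08:00:30,Assign,192.168.1.21,LAPTOP07.corp.example,001B63DDEEFF
11,03/15/08,12:58:12,Renew,192.168.1.20,WKSTN01.corp.example,000C29AABBCC
"""


def parse_w3c(text):
    """One dict per record, keyed by the names in the latest '#Fields:' line.
    Works for IIS Web, IIS FTP and Windows Firewall logs alike; '-' means empty."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):                     # directives: only #Fields matters here
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record before any #Fields directive")
        values = line.split(" ")                     # single space: '+' stands in for spaces
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def parse_dhcp(text):
    """CSV records of a DHCP audit log, skipping everything before the header line."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("ID,Date,Time,"))
    return list(csv.DictReader(StringIO("\n".join(lines[start:]))))


def lease_table(dhcp_records):
    """IP -> (host name, MAC) from the most recent lease/renew event (IDs 10/11).
    Assumes the log is chronological, so later lines win."""
    leases = {}
    for r in dhcp_records:
        if r["ID"] in ("10", "11"):
            leases[r["IP Address"]] = (r["Host Name"], r["MAC Address"])
    return leases


def suspicious_iis_requests(records):
    """Directory-traversal attempts and requests that did not get a 2xx/3xx answer."""
    return [r for r in records
            if ".." in (r["cs-uri-stem"] or "") or not r["sc-status"].startswith(("2", "3"))]


def attribute(ips, leases):
    """Pair each IP with its DHCP lease holder, or None if no lease was logged."""
    return {ip: leases.get(ip) for ip in ips}


if __name__ == "__main__":
    leases = lease_table(parse_dhcp(DHCP_LOG))
    bad = suspicious_iis_requests(parse_w3c(IIS_LOG))
    drops = [r for r in parse_w3c(FIREWALL_LOG) if r["action"] == "DROP"]
    for ip, who in attribute({r["c-ip"] for r in bad} | {r["src-ip"] for r in drops}, leases).items():
        print(ip, "->", who)
```

Two caveats a practitioner would check before trusting the join: IIS writes W3C log timestamps in UTC while the DHCP and firewall logs use local time, so the lease in force at the moment of a request must be chosen with that offset applied (the example simply takes the latest lease for the IP); and spaces inside IIS field values such as the User-Agent are replaced with '+', so records are split on single spaces, never on whitespace runs.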
Using the Microsoft Log Parser Powerful and versatile log-parsing tool that runs SQL-like queries against event logs, IIS logs, CSV files, and other formats Command to load the entire System event log into the graphical datagrid viewer: LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM System"
Using the Microsoft Log Parser (continued) Figure 5-3 An investigator can feed SQL-like queries to Log Parser to get specific information about an event log.
Evaluating Account Management Events Account management category of events Records changes to accounts and group membership Includes: Creation, deletion, and disabling of accounts Modifying which accounts belong to which groups Account lockouts and reactivations Various event IDs are associated with changes to accounts
Evaluating Account Management Events (continued) Table 5-7 This table describes the different group membership event IDs
Interpreting File and Other Object-Access Events Object-access audit category Allows administrators to configure the event logs to record access to various objects on the system (a SACL must also be set on each object to be audited) Access attempts are recorded in the event logs using three different event IDs: 560 (handle opened, listing the accesses requested), 567 (object access attempt, listing the accesses actually exercised), and 562 (handle closed) When a process needs access to some object, it first opens a handle to that object Handle is simply a shorthand way of referring to an object The file will receive a handle ID, and the process will refer to that file by its handle ID Handle IDs are reused, so the three events are matched on process ID and handle ID together
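As an added example of the handle-based correlation described above (not from the book), here is Python that pairs 560/567/562 events by (Process ID, Handle ID). The events are constructed to resemble the string fields of Windows XP/2003 Security-log entries; the paths, process IDs and user name are invented. It reports what each process actually did with the file, which is often narrower than the accesses requested in the 560 event:

```python
"""Correlate object-access audit events (Windows 2000/XP/2003 IDs) by handle:
560 = handle opened (accesses *requested*), 567 = object access attempt
(accesses actually *used*), 562 = handle closed. Events below are constructed
to look like the string fields of Security-log entries."""
from datetime import datetime

EVENTS = [
    ("2008-03-15 09:01:02", 560, {"Object Name": "C:\\Finance\\payroll.xls", "Handle ID": "0x3c8",
     "Process ID": "1284", "Image File Name": "C:\\WINDOWS\\explorer.exe",
     "Primary User Name": "jdoe", "Accesses": "READ_CONTROL SYNCHRONIZE ReadData"}),
    ("2008-03-15 09:01:02", 567, {"Handle ID": "0x3c8", "Process ID": "1284", "Accesses": "ReadData"}),
    ("2008-03-15 09:01:03", 560, {"Object Name": "C:\\Finance\\payroll.xls", "Handle ID": "0x3d4",
     "Process ID": "2016", "Image File Name": "C:\\Tools\\nc.exe",
     "Primary User Name": "jdoe", "Accesses": "ReadData WriteData DELETE"}),
    ("2008-03-15 09:01:05", 567, {"Handle ID": "0x3d4", "Process ID": "2016", "Accesses": "WriteData"}),
    ("2008-03-15 09:01:06", 567, {"Handle ID": "0x3d4", "Process ID": "2016", "Accesses": "DELETE"}),
    ("2008-03-15 09:01:06", 562, {"Handle ID": "0x3d4", "Process ID": "2016"}),
    ("2008-03-15 09:01:30", 562, {"Handle ID": "0x3c8", "Process ID": "1284"}),
    # close with no matching open: its 560 was overwritten when the log wrapped
    ("2008-03-15 09:02:00", 562, {"Handle ID": "0x999", "Process ID": "4"}),
]


def correlate_handles(events):
    """Return (sessions, orphans). A session is one open..close lifetime of a
    handle, keyed by (Process ID, Handle ID) because handle values are reused."""
    open_handles, sessions, orphans = {}, [], []
    for ts, eid, f in sorted(events, key=lambda e: e[0]):   # stable sort keeps log order within a second
        key, t = (f["Process ID"], f["Handle ID"]), datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if eid == 560:
            open_handles[key] = {"object": f["Object Name"], "user": f["Primary User Name"],
                                 "image": f["Image File Name"], "pid": f["Process ID"],
                                 "handle": f["Handle ID"], "opened": t, "closed": None,
                                 "requested": set(f["Accesses"].split()), "used": set()}
        elif eid == 567 and key in open_handles:
            open_handles[key]["used"].update(f["Accesses"].split())
        elif eid == 562 and key in open_handles:
            s = open_handles.pop(key)
            s["closed"] = t
            sessions.append(s)
        else:
            orphans.append((ts, eid, key))          # 567/562 whose 560 is missing
    sessions.extend(open_handles.values())          # still open when the log ends
    return sessions, orphans


def modified_by(sessions, path):
    """Sessions that actually wrote to or deleted `path`, not merely requested it."""
    return [s for s in sessions if s["object"].lower() == path.lower()
            and s["used"] & {"WriteData", "AppendData", "DELETE"}]


if __name__ == "__main__":
    sessions, orphans = correlate_handles(EVENTS)
    for s in modified_by(sessions, "C:\\Finance\\payroll.xls"):
        print(s["user"], s["image"], sorted(s["used"]), (s["closed"] - s["opened"]).seconds, "s")
    print("unmatched:", orphans)
```

Two things the output shows that reading the events one at a time does not: explorer.exe requested SYNCHRONIZE and READ_CONTROL but only ever read the file, while nc.exe wrote to and deleted it within three seconds; and a 562 with no matching 560 means the log wrapped or auditing started mid-session, so the absence of an open event is not evidence that no access occurred.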
Examining Audit-Policy Change Events Attackers will frequently attempt to disable auditing Modifications to the audit policy are recorded as event ID 612 entries In the 612 event's policy listing, + symbols indicate which events are being audited and - symbols show which events are not being audited Audit policy applied through domain Group Policy takes precedence over changes made to the local audit policy on an individual computer
Examining System Log Entries System event log Records events relating to system behavior, including: Changes to the operating system Changes to the hardware configuration Device driver installation Starting and stopping of services Whenever a service is started or stopped, the Service Control Manager sends a start or stop control to the service and records that it did so in the System event log as event ID 7035; the service's resulting state change (running or stopped) is recorded as event ID 7036
Examining Application Log Entries Application event log Contains messages from both the operating system and various programs Many utilities send messages to the Application log Especially antivirus and other system-protection programs Virtual Network Computing (VNC) Allows remote connections VNC application records connections to the VNC server, with the IP and port from which the connection originated, in the Application log
Using EnCase to Examine Windows Event Log Files EnCase parses Windows event log files by means of an EnScript EnScript is provided in the Sweep Case series EnCase does not rely on the Windows API to process the event logs EnCase can process event logs that are reported as corrupt by those viewers that rely on the Windows API Investigator can use EnCase to locate event log files with its Conditions feature, which is, in essence, a filtering system
Using EnCase to Examine Windows Event Log Files (continued) Figure 5-4 EnCase allows an investigator to find the event log files on a system.
EnCase Windows Event Log Parser Figure 5-5 An investigator can choose which event logs to parse and how to group those events in Windows Event Log Parser.
Windows Event Log File Internals Windows event log files Databases with the records related to the system, security, and applications Stored in separate files named SysEvent.evt, SecEvent.evt, and AppEvent.evt, respectively Stored in the %SystemRoot%\system32\config folder Each file has a header, a floating footer of sorts, and records To keep the files from becoming fragmented, the operating system may allocate large contiguous cluster runs to the event log files
Repairing Corrupted Event Log Databases Log file will be reported as corrupt when: The four critical fields appearing in both the header and the floating footer (start offset, end offset, current record number, and oldest record number) are out of sync The file status byte is a value other than 0x00 or 0x08 If a file is reported as corrupt, an investigator can use a hex editor to repair the file status byte The next step in the repair process: synchronize the four critical fields in the header with the current values found in the floating footer
Repairing Corrupted Event Log Databases (continued) Figure 5-6 An investigator needs to copy this 16-byte string when repairing a corrupt event log.
Repairing Corrupted Event Log Databases (continued) Figure 5-7 The investigator needs to paste the 16-byte string here to repair the event log.
Repairing Corrupted Event Log Databases (continued) Figure 5-8 The investigator can view the repaired event log in Event Viewer.
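An added Python example (not the book's, and not tied to EnCase or any other tool) that implements what the "Event Log File Format" and "Repairing Corrupted Event Log Databases" slides describe: it parses the 48-byte header and the 56-byte record headers, locates the floating footer by its 0x11111111..0x44444444 marker, applies the two corruption tests (status byte not 0x00/0x08, critical fields out of sync) and performs the repair by copying the footer's four DWORDs over the header's copy and resetting the status byte. Because no real .evt file accompanies the page, the log is built in code; the record contents, timestamps and the max-size value are constructed:

```python
"""Parse, check and repair a classic .evt log: 48-byte header, 56-byte record
headers and the floating footer (EOF record). The log is constructed in code."""
import struct

HEADER_FMT, RECORD_FMT, EOF_FMT = "<12I", "<IIIIIIHHHHIIIIII", "<10I"
LFLE = 0x654C664C                    # b"LfLe" as a little-endian DWORD
EOF_MAGIC = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
CRITICAL = ("start_offset", "end_offset", "current_record", "oldest_record")
FLAG_ARCHIVE = 0x08                  # only flag a clean log may carry besides 0x00

def parse_header(data):
    keys = ("header_size", "signature", "major", "minor") + CRITICAL + (
        "max_size", "flags", "retention", "end_header_size")
    h = dict(zip(keys, struct.unpack_from(HEADER_FMT, data, 0)))
    if h["header_size"] != 48 or h["signature"] != LFLE:
        raise ValueError("not an .evt header")
    return h

def find_footer(data):
    """Locate the EOF record by its 16-byte 0x11111111..0x44444444 marker."""
    idx = data.find(struct.pack("<4I", *EOF_MAGIC)) - 4
    if idx < 48 or idx + 40 > len(data):
        return None
    f = struct.unpack_from(EOF_FMT, data, idx)
    return dict(zip(("offset",) + CRITICAL, (idx,) + f[5:9])) if f[0] == f[9] == 0x28 else None

def _utf16z(data, pos):
    end = pos
    while data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le"), end + 2

def parse_record(data, off):
    f = struct.unpack_from(RECORD_FMT, data, off)
    source, pos = _utf16z(data, off + 56)           # SourceName, then Computername
    computer, _ = _utf16z(data, pos)
    strings, pos = [], off + f[11]                  # f[11] = StringOffset
    for _ in range(f[7]):                           # f[7] = NumStrings
        s, pos = _utf16z(data, pos)
        strings.append(s)
    return {"length": f[0], "number": f[2], "time_generated": f[3], "type": f[6],
            "event_id": f[5] & 0xFFFF,              # low word is the ID Event Viewer shows
            "source": source, "computer": computer, "strings": strings}

def parse_evt(data):
    """Walk from the oldest record to the footer (wrapped logs: not reassembled)."""
    h, eof = parse_header(data), find_footer(data)
    off, out = (eof or h)["start_offset"], []
    while off + 56 <= len(data) and data[off + 4:off + 8] == b"LfLe":
        rec = parse_record(data, off)
        out.append(rec)
        off += rec["length"]
    return out

def check_evt(data):
    """Reasons Event Viewer would report the log as corrupt (empty list = clean)."""
    h, eof, problems = parse_header(data), find_footer(data), []
    if h["flags"] not in (0x00, FLAG_ARCHIVE):
        problems.append("status byte 0x%02x is not 0x00/0x08" % h["flags"])
    if eof is None:
        return problems + ["floating footer not found"]
    problems += ["%s: header %d != footer %d" % (k, h[k], eof[k]) for k in CRITICAL if h[k] != eof[k]]
    return problems

def repair_evt(data):
    """The hex-editor repair: reset the status byte, then copy the footer's 16-byte
    run of critical fields over the header's copy at offset 16."""
    eof = find_footer(data)
    if eof is None:
        raise ValueError("no floating footer to repair from")
    buf = bytearray(data)
    struct.pack_into("<4I", buf, 16, *(eof[k] for k in CRITICAL))
    struct.pack_into("<I", buf, 36, parse_header(data)["flags"] & FLAG_ARCHIVE)
    return bytes(buf)

def build_record(number, event_id, source, computer, strings, ts):
    z = lambda s: s.encode("utf-16-le") + b"\0\0"
    body, blob = z(source) + z(computer), b"".join(z(s) for s in strings)
    length = 56 + len(body) + len(blob) + 4
    length += (-length) % 4                         # records are DWORD-aligned
    so, do = 56 + len(body), 56 + len(body) + len(blob)
    hdr = struct.pack(RECORD_FMT, length, LFLE, number, ts, ts, event_id, 8, len(strings),
                      0, 0, 0, so, 0, do, 0, do)
    return (hdr + body + blob).ljust(length - 4, b"\0") + struct.pack("<I", length)

def build_sample_evt(dirty=False):
    """Constructed three-record Security log; dirty=True leaves the header stale
    with the DIRTY flag set, as a crash or an unclean copy would."""
    recs, n = b"", 1
    for eid, strs in ((560, ["C:\\secret.txt", "0x3c"]), (562, ["0x3c"]), (612, [])):
        recs += build_record(n, eid, "Security", "WKSTN01", strs, 1205600000 + n)
        n += 1
    end = 48 + len(recs)
    footer = struct.pack(EOF_FMT, 0x28, *EOF_MAGIC, 48, end, n, 1, 0x28)
    crit, flags = ((48, 48, 1, 1), 0x01) if dirty else ((48, end, n, 1), FLAG_ARCHIVE)
    return struct.pack(HEADER_FMT, 48, LFLE, 1, 1, *crit, 0x80000, flags, 0, 48) + recs + footer

if __name__ == "__main__":
    bad = build_sample_evt(dirty=True)
    print("problems:", check_evt(bad))
    for r in parse_evt(repair_evt(bad)):
        print(r["number"], r["event_id"], r["source"], r["strings"])
```

Against a real file, call parse_evt(open(path, "rb").read()). The walk starts at the footer's start offset rather than the header's, because the footer is the copy the OS was maintaining when the log stopped. A log whose WRAP flag (0x02) is set has records split across the end of the buffer, which this example does not reassemble; that is the case where a tool that bypasses the Windows API, as the EnCase slides describe, earns its keep.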
Understanding Windows Password Storage Windows systems store user and password data in one of two places: Security Account Manager (SAM) file, for local accounts Active Directory, for domain accounts SAM file is located in the %SystemRoot%\System32\Config folder File exists as a registry hive file; the hashes inside it are encrypted with the boot key held in the SYSTEM hive, so offline extraction needs both hives Active Directory database information resides on the domain controller in a file called ntds.dit Located in the %SystemRoot%\ntds directory
Hashing Passwords Password is run through a specific algorithm that converts the password into a numeric value This value, called the hash value or simply the hash of the password, is then stored in lieu of the actual password Hashing algorithm Also called hash function Group of algorithms called one-way functions Whenever a particular password is used as the input to the function, it will always generate the same hash value Likelihood of two separate passwords generating the same hash value is low
Hashing Passwords (continued) Authentication steps: User first selects a password System calculates the password hash value System records the resulting hash value along with the account name in the SAM or ntds.dit file When a user attempts to authenticate System takes the password that the user provides during the authentication attempt, runs it through the hash function, and compares the resulting hash value to the hash value stored in the password file If the two are the same, the authentication proceeds If the two are different, the authentication fails
Hashing Passwords (continued) Windows hash functions Modern Windows operating systems mainly use two different hash functions NT LanMan (NTLM) hash LanMan (LM) hash
Cracking Windows Passwords Stored on Running Systems Figure 5-10 An attacker goes through an iterative guessing process until the two hashes match.
Exploring Windows Authentication Mechanisms Windows systems use one of three main types of authentication mechanisms to access remote computers: LanMan authentication NTLM authentication Kerberos
LanMan Authentication Relies on a hash to determine whether a remote user has provided a valid username/password combination LanMan hash is never actually sent across the network during an authentication session Attack methods Replay attack Attacker copies the authentication message as it crosses the wire Resends that message at a later date to impersonate the user
LanMan Authentication (continued) Figure 5-11 The actual LanMan hash is never sent over the network in the LanMan authentication technique.
LanMan Authentication (continued) Attack methods (continued) Known plain-text attack Attacker knows both the encrypted form of a communication and the original message that was encrypted LanMan authentication mechanism starts to break down when the complexity (or lack thereof) of its key is examined: the key is derived from the LanMan hash, which is built from an upper-cased password split into two independent seven-character halves
NTLM and Kerberos Authentication NTLM hash is more secure than its LanMan predecessor Hash is calculated across the entire case-sensitive password Resulting in a 16-byte hash Hash is created using the MD4 hash algorithm Changes make the NTLM password less susceptible to brute-force cracking Main problem When a client uses NTLM authentication, the client also sends the LanMan response, computed from the LanMan hash, as part of the same authentication exchange, so an attacker who captures it can attack the weaker hash
NTLM and Kerberos Authentication (continued) Figure 5-12 The NTLM authentication method is more secure than the LanMan method.
NTLM and Kerberos Authentication (continued) Kerberos Most secure option available to Windows computers Relies on a system of security, or access, tickets that are issued by computers designated as ticket-granting authorities Microsoft implementation still uses the NTLM hash as a starting point for identifying that a user knows the correct password Verification of the user's identity takes place between the domain controller and the client
Sniffing and Cracking Windows Authentication Exchanges Authentication takes places whenever a process on one system attempts to access a resource on another system When a process needs to access a remote system Attempts to authenticate to the remote system by providing the credentials for the account whose security context it is using When the user selects a share existing on another system Computer will automatically attempt to authenticate to the remote system by using the current user s account name and password information
Sniffing and Cracking Windows Authentication Exchanges (continued) Sniffing If an attacker controls that remote system, or if the attacker is able to monitor communication between the victim system and the remote system Attacker can potentially sniff the authentication attempt and use it to crack the user s password Cain and Abel Cain has many different capabilities Among them is a network sniffer that is designed to look for passwords exchanged during various types of authentication exchanges Abel acts as a remote sensor for Cain
Cracking Offline Passwords Certain tools can extract password data from the SAM files of computers Encrypting File System (EFS) Allows data to be stored on a disk in an encrypted format automatically without manual action by the user One way to recover files encrypted with EFS Crack the passwords of the users' accounts Make a duplicate working copy of the hard drive Boot the computer using the working copy of the drive Log in as the appropriate user, and view the file The password must be cracked rather than simply reset: the key protecting the user's EFS certificate is derived from the password, so resetting it from outside the account leaves the files unreadable
Tool: Helix Helix Customized distribution of the Knoppix Live Linux CD Designed not to touch the host computer in any way Forensically sound Will not automatically mount swap space or any attached devices Focuses on incident response and forensics tools
Tools Present on Helix CD for Windows Forensics Tools on the Helix CD for Windows forensics include: Windows Forensics Toolchest (WFT) Incident Response Collection Report (IRCR2) First Responder's Evidence Disk (FRED) First Responder Utility (FRU) Security Reports (SecReport) MD5 Generator Command Shell File Recovery Rootkit Revealer
Tools Present on Helix CD for Windows Forensics (continued) Figure 5-13 Helix provides a variety of different forensic tools.
Tools Present on Helix CD for Windows Forensics (continued) Figure 5-14 An investigator can view basic system information with Helix.
Tools Present on Helix CD for Windows Forensics (continued) Figure 5-15 Helix provides a forensic investigator with incident response tools.
Tools Present on Helix CD for Windows Forensics (continued) Helix Tool: SecReport Comprises two command-line utilities SecReport collects security information from a Windows-based system Delta compares the results of SecReport, either from any two systems or from the same system at two different times Helix Tool: Windows Forensics Toolchest (WFT) Collects security information from a Windows system and provides an automated incident response Capable of running other security tools Produces reports in HTML format
Tools Present on Helix CD for Windows Forensics (continued) Figure 5-16 WFT generates MD5 checksums for all of the logs it creates.
Tool: Sigverif Built-in Windows tool that searches for unsigned drivers on a system After Sigverif is finished running its check A list of all unsigned drivers installed on the computer is displayed The investigator can find the list of all signed and unsigned drivers found by Sigverif in the Sigverif.txt file in the %Windir% folder, typically the Winnt or Windows folder
Tool: Word Extractor Tool that extracts human-readable words (printable strings) from binary computer files Some features of Word Extractor: Replaces non-readable bytes with spaces or dots for better visibility Supports drag and drop and text wrapping Saves results as text or RTF files
Tool: Word Extractor (continued) Figure 5-17 Word Extractor shows the human-readable text present in a binary file.
Tool: RegScanner Figure 5-18 RegScanner shows all of its search results in one list.
Tool: PMDump Dumps the memory contents of a process to a file without stopping the process PMDump stands for Post-Mortem Dump Investigator can save the dump information to a secondary storage medium
Tool: System Scanner System Scanner Extracts information about processes, including the IDs of all the threads and handles to DLLs Provides the ability to suspend specific threads of a specific process and to view a process s virtual memory Shows all the processes currently running on the system, the number of threads per process, and the executable path of each process List is updated every five seconds by default, but this is configurable
Tool: System Scanner (continued) Figure 5-19 An investigator can right-click on any process in System Scanner to view detailed information about the resources the process is using.
Tool: X-Ways Forensics Provides a forensic work environment Some features of X-Ways Forensics: Disk cloning and imaging, including under DOS Examining the complete directory structure inside raw image files, even spanned over several segments Native support for FAT, NTFS, ext2, ext3, CDFS, and UDF Built-in interpretation of RAID 0 and RAID 5 systems and dynamic disks Viewing and dumping physical RAM and the virtual memory of running processes Various data recovery techniques and file carving
Tool: X-Ways Forensics (continued) Figure 5-20 X-Ways Forensics allows an investigator to look at all graphics files on a system.
Tool: Traces Viewer Figure 5-21 Traces Viewer can remove all Web traces, including cookies, history entries, and cached URLs.
Tool: PE Builder Creates a bootable Windows CD-ROM that boots into BartPE (Bart's Preinstalled Environment) Offers a complete Win32 environment with network support; a GUI; and FAT, NTFS, and CDFS support Investigator can use this tool to examine a system whose installed operating system cannot or should not be booted
Tool: Ultimate Boot CD-ROM Allows an investigator to run floppy-based diagnostic tools from CD-ROM drives Without the need for an operating system Tool has over 100 diagnostic and system management utilities Types of tools include: CPU tester Memory tester Peripheral tools CPU information tools Hard disk tools
Tool: Ultimate Boot CD-ROM (continued) Figure 5-22 The Ultimate Boot CD-ROM includes many utilities that a forensic investigator may want to use.
Summary A DHCP server dynamically assigns IP addresses upon a client machine s request Windows Firewall logs are stored in %SystemRoot%\pfirewall.log Several registry values and settings could impact the forensic analysis Modifications to audit policy are recorded as event ID 612 entries
Summary (continued) The Application event log contains messages from the operating system and various programs SAM files are located in the %SystemRoot%\System32\Config folder Passwords are run through a specific hash algorithm and are stored as numeric values